One More Take on Gawker

Forget about everything that’s been made of password strength; it’s a red herring. True, you shouldn’t be using one common password across all sites, but that’s not a password selection issue. Should you pick good quality passwords that aren’t easily guessable? Absolutely. That being said, let’s forget about the rest of the rules, with perhaps the exception of length, and talk a bit about what actually happened with Gawker.

Gawker CTO Thomas Plunkett sent around a detailed memo to personnel last Friday discussing the incident, what happened, and what they were doing going forward. Overall, it’s a mildly interesting read, but nothing terribly unexpected. However, it does give some insights into what happened (a source code breach – NOT a password compromise as was originally reported/theorized). The main story here seems to be that they were caught flat-footed, unprepared for a serious incident, and – like many organizations – had been cutting security corners.

On why they failed in such a massive way, Plunkett talks about their making themselves a sizable target, but also includes a couple other reasons:

“…we never planned for such an event, and therefore had no systems, or processes in place to adequately respond.”

and

“Our development efforts have been focused on new product while committing relatively little time to reviewing past work. This is often a fatal mistake in software development and was central to this vulnerability.”

This incident, and Plunkett’s sober assessment, underscores three key issues with which companies should be concerned:

Planning for failure is imperative. Survivability hinges on being prepared. Failure is inevitable (and not necessarily all bad!).

Processes are very important; possibly more important than policies. When bad things happen, you need to have a rip cord to pull.

Proactive security measures, like secure coding practices and regular assessments, are not just “overhead expense.” They can help prevent embarrassing situations that expose a lack of preparation and forethought.

In the end, the biggest fault here was a lack of adequate risk management strategy. Gawker did not take a legally defensible approach that could have been leveraged progressively to protect the business and its customers. Fundamental practices like secure coding, routine assessments, incident response management processes, and reasonable detection and response capabilities could have gone a long way in helping minimize the damage. Instead, they were blind-sided by a deep compromise that they learned about in the same way everyone else did: through mainstream publication of their compromised data. This situation provides an excellent parable going forward about the dangers of cutting security corners and not doing even a minimal amount of due diligence. Hopefully others will learn from their mistakes.